CVE-2025-59431: 
Linux Debian vulnerability analysis and mitigation

MapServer, a system for developing web-based GIS applications, was found to contain a SQL injection vulnerability (CVE-2025-59431) in version 8.4.0. The vulnerability exists in the XML Filter Query directive PropertyName, where expression checking can be bypassed using double quote characters, allowing manipulation of backend database queries. The vulnerability was discovered by researchers JHarmsen and AWarringa and was fixed in version 8.4.1 (GitHub Advisory).

The vulnerability affects MapServer 8.4.0 built from source with various build configurations including PROJ version 9.3.1 and GDAL version 3.9.2. The SQL injection vulnerability is triggered through the WFS XML Filter Query directive, where attackers can bypass expression checking by introducing double quote characters in the PropertyName parameter. The vulnerability has been assigned a CVSS v4.0 score of 8.9 HIGH with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability allows attackers to manipulate backend database queries through SQL injection. This could potentially lead to unauthorized access to database contents, modification of data, or execution of unauthorized database operations. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability has been patched in MapServer version 8.4.1. Users are advised to upgrade to this version to protect against potential SQL injection attacks. No alternative workarounds have been published (GitHub Advisory).